When 'password1' just won't do for data safety

Over the last few months we've heard about one site after another having its user password data compromised. Much of the damage could have been avoided if the sites in question had protected passwords properly (a salted, deliberately slow hash rather than plaintext or a fast unsalted hash), but regardless of that, what the leaked lists revealed is that a lot of the users in question were using weak and/or easily guessed passwords.

Moreover, they were using those same passwords on a number of sites, which compounds the problem. It's one thing to use “Password01” as your password on LinkedIn; it's another thing entirely when you also use it on Amazon. You've become the low-hanging fruit that hackers love to harvest.

Looking at the number of weak passwords in the lists of compromised accounts, an observer could be forgiven for assuming that these users had never heard or read that they should always use strong passwords. More likely, the advice was simply disregarded for one very simple reason: it's hard to remember even one strong password, never mind creating and remembering a different strong password for every site. Since the other piece of password advice everyone hears is never to write them down, users settle for the lesser of two evils -- to their thinking -- and choose something they'll remember, then use it over and over.

Because after all, what's the chance that someone will choose to hack them? Very good, unfortunately, and nobody has to choose them: once one site's password list leaks, the same username-and-password pairs are replayed automatically against other popular sites, so a reused password falls everywhere at once.

I'm here to tell you that you should write your passwords down ... sort of. Not on a piece of paper or in a text file, but in a password safe; most of the good ones will also generate strong random passwords for you. A password safe keeps the passwords encrypted, with the encryption key derived from a master password, so the safe can be opened only with that password -- or, in some cases, with a second factor on top of it, which is better. Yes, it's one more password that you have to remember, but one is better than dozens, and since everything in the safe rests on it, it should be the strongest password you own. In my case, I use a sentence, complete with punctuation, that I am not likely to forget but that few other people would associate with me.

Using a password safe to store complex passwords, with a different one generated for every site you use, immediately raises your security level. However, it's not enough.
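Under the hood, a password safe is just the two things described above: a cryptographic random number generator to mint a different password for every site, and authenticated encryption whose key is derived from the master password through a deliberately slow key-derivation function. The Go program below is an added example written for this page, not code from any password manager the author uses or recommends. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations for the key derivation, AES-256-GCM for the encryption, a 94-symbol printable-ASCII alphabet for generated passwords, and a constructed sample master passphrase and vault entry.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// DefaultAlphabet is printable ASCII minus the space: 94 symbols, so each
// character drawn from it adds about 6.55 bits of guessing work (20 chars ≈ 131 bits).
const DefaultAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

const (
	saltLen    = 16
	nonceLen   = 12      // standard AES-GCM nonce size
	keyLen     = 32      // AES-256
	Iterations = 600_000 // PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
)

// GeneratePassword draws n characters uniformly from alphabet (single-byte
// characters only) using the OS CSPRNG via crypto/rand, never math/rand.
func GeneratePassword(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", errors.New("need n > 0 and at least two symbols")
	}
	bound := big.NewInt(int64(len(alphabet)))
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, bound) // uniform in [0, len): no modulo bias
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// PBKDF2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA256, written out here because
// the Go standard library only gained crypto/pbkdf2 in Go 1.24.
func PBKDF2SHA256(password, salt []byte, iters, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)           // U1 = PRF(P, S || INT(i))
		t := append([]byte{}, u...) // T_i = U1 xor U2 xor ... xor Uc
		for j := 1; j < iters; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// gcmFor derives the vault key from the master password and this salt.
func gcmFor(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(PBKDF2SHA256([]byte(master), salt, Iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the vault under the master password.
// Blob layout: salt(16) || nonce(12) || AES-256-GCM ciphertext || tag(16).
func Seal(master string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil { // fresh salt and nonce on every save
		return nil, err
	}
	gcm, err := gcmFor(master, header[:saltLen])
	if err != nil {
		return nil, err
	}
	// The header is bound in as associated data so salt/nonce cannot be swapped.
	return append(header, gcm.Seal(nil, header[saltLen:], plaintext, header)...), nil
}

// Open decrypts a blob from Seal. A wrong master password and a tampered blob
// both fail the GCM tag check and are deliberately not told apart.
func Open(master string, blob []byte) ([]byte, error) {
	const headerLen = saltLen + nonceLen
	if len(blob) < headerLen+16 {
		return nil, errors.New("vault blob too short")
	}
	header := blob[:headerLen]
	gcm, err := gcmFor(master, header[:saltLen])
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, header[saltLen:], blob[headerLen:], header)
	if err != nil {
		return nil, errors.New("cannot open vault: wrong master password or corrupted data")
	}
	return pt, nil
}

func main() {
	pw, err := GeneratePassword(20, DefaultAlphabet)
	if err != nil {
		panic(err)
	}
	// Constructed sample master passphrase and vault entry for the demo.
	master := "My first bike was red, and it had 3 gears!"
	blob, err := Seal(master, []byte("shop.example.com: "+pw+"\n"))
	if err != nil {
		panic(err)
	}
	if _, err := Open("Password01", blob); err != nil {
		fmt.Println("weak guess rejected:", err)
	}
	vault, err := Open(master, blob)
	if err != nil {
		panic(err)
	}
	fmt.Print("vault contents: ", string(vault))
}
```

Two design points carry over to real safes: the slow key derivation is what makes the master passphrase worth choosing well, because it is the only thing standing between an attacker who copies the vault file and every password inside it; and the wrong-password and corrupted-file cases fail identically, since an attacker who can tell them apart gains an oracle. Production safes go further (scrypt or Argon2 instead of PBKDF2, keys scrubbed from memory, a second factor on the unlock), but the structure is the same.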

Many sites -- Google is a good example -- are turning to two-factor authentication rather than relying on a password alone: a one-time code from your phone is required in addition to the password, so a stolen or guessed password is no longer enough by itself. Wherever two-factor authentication is offered, you should use it; if you use Google Apps for your business, make it mandatory for your employees.

In one of my articles on social engineering, I mentioned that Mat Honan was not using two-factor authentication for his Google account. If he had, the hackers who caused all his data to be wiped from his personal devices would have been stopped there. If it's your business data, rather than your personal data, how much more important is it to stop the hackers?

There is no 100% foolproof way to prevent you and your business from being hacked. But good password management will go a long way toward keeping the fruits of your labor from being the low-hanging kind that hackers love.

Mary Ursula Herrmann

Mary Ursula Herrmann is a Network Security Analyst living in Juneau, AK. She has worked in Information Security for over 15 years, and obtained her CISSP in 2005.